tomcat8: CVE-2017-5647, CVE-2017-5648, CVE-2017-5650, CVE-2017-5651


Debian Bug report logs - #860071

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 11 Apr 2017 04:51:02 UTC

Owned by: Markus Koschany <apo@debian.org>

Severity: serious

Tags: security, upstream

Merged with 860068, 860069, 860070

Found in versions tomcat8/8.0.14-1, tomcat8/8.5.11-1

Fixed in version tomcat8/8.5.11-2

Done: Markus Koschany <apo@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#860071; Package src:tomcat8. (Tue, 11 Apr 2017 04:51:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 11 Apr 2017 04:51:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: tomcat8: CVE-2017-5651
Date: Tue, 11 Apr 2017 06:47:03 +0200
Source: tomcat8
Version: 8.5.11-1
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for tomcat8.

CVE-2017-5651[0]:
|The refactoring of the HTTP connectors for 8.5.x onwards introduced a
|regression in the send file processing. If the send file processing
|completed quickly, it was possible for the Processor to be added to the
|processor cache twice. This could result in the same Processor being
|used for multiple requests which in turn could lead to unexpected errors
|and/or response mix-up.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-5651
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5651

Regards,
Salvatore



Marked as found in versions tomcat8/8.0.14-1. Request was from Markus Koschany <apo@debian.org> to 860068-submit@bugs.debian.org. (Tue, 11 Apr 2017 14:18:08 GMT)


Merged 860068 860069 860070 860071. Request was from Markus Koschany <apo@debian.org> to 860068-submit@bugs.debian.org. (Tue, 11 Apr 2017 14:18:10 GMT)


Owner recorded as Markus Koschany <apo@debian.org>. Request was from Markus Koschany <apo@debian.org> to 860068-submit@bugs.debian.org. (Tue, 11 Apr 2017 14:18:13 GMT)


Changed Bug title to 'tomcat8: CVE-2017-5647, CVE-2017-5648, CVE-2017-5650, CVE-2017-5651' from 'tomcat8: CVE-2017-5651'. Request was from Markus Koschany <apo@debian.org> to 860068-submit@bugs.debian.org. (Wed, 12 Apr 2017 09:57:07 GMT)


Severity set to 'serious' from 'important'. Request was from Markus Koschany <apo@debian.org> to 860068-submit@bugs.debian.org. (Wed, 12 Apr 2017 09:57:10 GMT)


Added tag(s) pending. Request was from pkg-java-maintainers@lists.alioth.debian.org to control@bugs.debian.org. (Wed, 12 Apr 2017 12:12:16 GMT)


Message #18 received at 860068-close@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 860068-close@bugs.debian.org
Subject: Bug#860068: fixed in tomcat8 8.5.11-2
Date: Wed, 12 Apr 2017 12:19:12 +0000
Source: tomcat8
Source-Version: 8.5.11-2

We believe that the bug you reported is fixed in the latest version of
tomcat8, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 860068@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated tomcat8 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 12 Apr 2017 09:58:46 +0200
Source: tomcat8
Binary: tomcat8-common tomcat8 tomcat8-user libtomcat8-java libtomcat8-embed-java libservlet3.1-java libservlet3.1-java-doc tomcat8-admin tomcat8-examples tomcat8-docs
Architecture: source
Version: 8.5.11-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libservlet3.1-java - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API classes
 libservlet3.1-java-doc - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API documenta
 libtomcat8-embed-java - Apache Tomcat 8 - Servlet and JSP engine -- embed libraries
 libtomcat8-java - Apache Tomcat 8 - Servlet and JSP engine -- core libraries
 tomcat8    - Apache Tomcat 8 - Servlet and JSP engine
 tomcat8-admin - Apache Tomcat 8 - Servlet and JSP engine -- admin web application
 tomcat8-common - Apache Tomcat 8 - Servlet and JSP engine -- common files
 tomcat8-docs - Apache Tomcat 8 - Servlet and JSP engine -- documentation
 tomcat8-examples - Apache Tomcat 8 - Servlet and JSP engine -- example web applicati
 tomcat8-user - Apache Tomcat 8 - Servlet and JSP engine -- tools to create user
Closes: 860068
Changes:
 tomcat8 (8.5.11-2) unstable; urgency=medium
 .
   * Team upload.
   * Fix the following security vulnerabilities (Closes: #860068):
     Thanks to Salvatore Bonaccorso for the report.
    - CVE-2017-5647:
      A bug in the handling of the pipelined requests when send file was used
      resulted in the pipelined request being lost when send file processing of
      the previous request completed. This could result in responses appearing
      to be sent for the wrong request. For example, a user agent that sent
      requests A, B and C could see the correct response for request A, the
      response for request C for request B and no response for request C.
    - CVE-2017-5648:
      It was noticed that some calls to application listeners did not use the
      appropriate facade object. When running an untrusted application under a
      SecurityManager, it was therefore possible for that untrusted application
      to retain a reference to the request or response object and thereby access
      and/or modify information associated with another web application.
    - CVE-2017-5650:
      The handling of an HTTP/2 GOAWAY frame for a connection did not close
      streams associated with that connection that were currently waiting for a
      WINDOW_UPDATE before allowing the application to write more data. These
      waiting streams each consumed a thread. A malicious client could therefore
      construct a series of HTTP/2 requests that would consume all available
      processing threads.
    - CVE-2017-5651:
      The refactoring of the HTTP connectors for 8.5.x onwards introduced a
      regression in the send file processing. If the send file processing
      completed quickly, it was possible for the Processor to be added to the
      processor cache twice. This could result in the same Processor being used
      for multiple requests which in turn could lead to unexpected errors and/or
      response mix-up.
   * debian/control: tomcat8: Fix Lintian error and depend on lsb-base.





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 16 Jul 2017 07:48:29 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:40:07 2019; Machine Name: beach
